Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and
evaluate Active Directory Rights Management Services (AD RMS) across multiple forests in
Windows Server® 2008. It includes the necessary information for installing and configuring
AD RMS in two forests and configuring a trusted user domain so that users from both forests can
exchange rights-protected content.
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the example
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
additional deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this guide, you will have two working AD RMS infrastructures configured with
a trusted user domain. You can then test and verify AD RMS and AD FS functionality as follows:
• Restrict permissions on a Microsoft® Word 2007 document in the CPANDL.COM
domain.
• Have an authorized user in the TREYRESEARCH.NET domain open and work with
the document.
The test environment described in this guide includes eight computers connected to a private
network and using the following operating systems, applications, and services:
Note
Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in
this step-by-step guide it is assumed that you will be using domain controllers running either
Windows Server 2003 with SP2 or Windows Server 2008.
Computer name   Operating system               Applications and services
ADRMS-DB        Windows Server 2003 with SP2   Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)
TREY-DB         Windows Server 2003 with SP2   Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)
Note
Before installing and configuring the components in this guide, you should verify that your
hardware meets the minimum requirements for AD RMS
(http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment, if desired. This step-
by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named
cpandl.com is CPANDL-DC and the domain controller for the domain named treyresearch.net is
TREY-DC. The following figure shows the configuration of the test environment:
• Create user accounts and groups
• Configure the AD RMS database server (TREY-DB)
• Configure the AD RMS root cluster computer (TREY-ADRMS)
• Configure the AD RMS client computer (ADRMS-CLNT2)
Use the following table as reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity.
Configure the Windows Server 2003–based domain controller
To configure the domain controller TREY-DC, you must install Windows Server 2003, configure
TCP/IP properties, install Active Directory, and raise the Active Directory domain functional level
to Windows Server 2003.
First, install Windows Server 2003 with SP2 on the TREY-DC computer.
In this step, configure TCP/IP properties so that TREY-DC has a static IP address of 10.0.0.30.
computer to use this DNS server as its preferred DNS server option, and then
click Next.
8. Click the Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password and Confirm Password boxes, type a strong
password, and then click Next.
10. Click Next.
11. When the Active Directory Installation Wizard is done, click Finish.
12. Click Restart Now.
Note
You cannot change the domain functional level once you have raised it.
5. Click OK, and then click OK again.
Configure the Windows Server 2008–based domain controller
To configure the domain controller TREY-DC, you must install Windows Server 2008, configure
TCP/IP properties, and install Active Directory Domain Services.
First, install Windows Server 2008.
Next, configure TCP/IP properties so that TREY-DC has a static IPv4 address of 10.0.0.30.
5. Click the Create a new domain in a new forest option, and then click Next.
6. In the FQDN of the forest root domain box, type treyresearch.net, and then
click Next.
7. In the Forest functional level box, click Windows Server 2003, and then click
Next.
8. In the Domain functional level box, click Windows Server 2003, and then click
Next.
9. Ensure that the DNS server check box is selected, and then click Next.
10. Click Yes, confirming that you want to create a delegation for this DNS server.
11. On the Location for Database, Log Files, and SYSVOL page, click Next.
12. In the Password and Confirm password boxes, type a strong password, and
then click Next.
13. On the Summary page, click Next to start the installation.
14. When the installation is complete, click Finish, and then click Restart Now.
Note
You must restart the computer after you complete this procedure.
Account Name   User Logon Name   E-mail address
ADRMSADMIN     ADRMSADMIN
ADRMSSRVC      ADRMSSRVC
Once the user accounts have been created, an Active Directory Universal group should be
created with Terrence Philip as a member. The following table lists the Universal group that
should be added to Active Directory. Use the procedure following the table to create the Universal
group.
Group name   E-mail address
Employees    employees@treyresearch.net
the Universal option for the Group Scope, and then click OK.
Finally, add Terrence Philip to the Employees group by following these steps:
In this step, configure TCP/IP properties so that TREY-DB has a static IP address of 10.0.0.34.
Next, join the AD RMS database server (TREY-DB) computer to the TREYRESEARCH domain:
To join TREY-DB to the TREYRESEARCH domain
1. Click Start, right-click My Computer, and then click Properties.
2. Click Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and
then type treyresearch.net.
4. Click More, and then type treyresearch.net in the Primary DNS suffix of this
computer box.
5. Click OK twice.
6. When a Computer Name Changes dialog box appears prompting you for
administrative credentials, provide the credentials for
TREYRESEARCH\Administrator, and then click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the
treyresearch.net domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click OK again.
9. Click Yes to restart the computer.
14. Click Finish.
Next, add ADRMSADMIN to the local Administrators group on TREY-DB. The account that installs
AD RMS needs this membership in order to create the AD RMS databases. After AD RMS is
installed, ADRMSADMIN can be removed from this group.
Next, configure TCP/IP properties so that TREY-ADRMS has a static IP address of 10.0.0.33. In
addition, configure the DNS server by using the IP address of TREY-DC (10.0.0.30).
click Manage Network Connections, right-click Local Area Connection, and then
click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
4. Click the Use the following IP address option. In IP address, type 10.0.0.33. In
Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.30.
6. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.
After the computer has restarted, add ADRMSADMIN to the local Administrators group on
TREY-ADRMS.
Add the AD RMS server role to TREY-ADRMS
Windows Server 2008 includes the option to install AD RMS as a server role through Server
Manager. Both installation and configuration of AD RMS are handled through Server Manager.
The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is
composed of one or more AD RMS servers configured in a load-balancing environment. This
section will install and configure a single-server AD RMS root cluster in the treyresearch.net
domain.
Registering the AD RMS service connection point (SCP) requires that the installing user account
be a member of the Active Directory Enterprise Admins group.
Important
Access to the Enterprise Admins group should be granted only while AD RMS is being
installed. After installation is complete, the TREYRESEARCH\ADRMSADMIN account
should be removed from this group.
Management Server check box is selected, and then click Next.
10. Click the Create a new AD RMS cluster option, and then click Next.
11. Click the Use a different database server option.
12. Click Select, type TREY-DB in the Select Computer dialog box, and then click
OK.
13. In Database Instance, click Default, and then click Validate.
14. Click Next.
15. Click Specify, type TREYRESEARCH\ADRMSSRVC, type the password for the
account, click OK, and then click Next.
16. Ensure that the Use AD RMS centrally managed key storage option is
selected, and then click Next.
17. Type a strong password in the Password box and in the Confirm password
box, and then click Next.
18. Choose the Web site where AD RMS will be installed, and then click Next. In an
installation that uses default settings, the only available Web site should be Default
Web Site.
19. Click the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type trey-adrms.treyresearch.net,
and then click Validate. If validation succeeds, the Next button becomes available.
Click Next.
21. Click the Choose an existing certificate for SSL encryption option, click the
certificate that has been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name
box, and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is
selected, and then click Next to register the AD RMS service connection point (SCP)
in Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes
to complete the installation.
27. Click Close.
28. Log off the server, and then log on again to update the security token of the
logged-on user account. The user account that is logged on when the AD RMS
server role is installed is automatically made a member of the AD RMS Enterprise
Administrators local group. A user must be a member of that group to administer
AD RMS.
Note
At this point in the guide, you can remove treyresearch\ADRMSADMIN from the local
Administrators group on TREY-DB.
Your AD RMS root cluster is now installed and configured.
Next, configure TCP/IP properties so that ADRMS-CLNT2 has a static IP address of 10.0.0.32. In
addition, configure the preferred DNS server by using the IP address of TREY-DC (10.0.0.30).
3. On the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, select the Domain option,
and then type treyresearch.net.
5. Click More, and in the Primary DNS suffix of this computer box, type
treyresearch.net.
6. Click OK, and click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting you
for administrative credentials, provide the credentials for treyresearch\administrator,
and then click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming you
to the treyresearch.net domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you that
the computer must be restarted, click OK, and then click Close.
10. In the System Settings Change dialog box, click Yes to restart the computer.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007
allow you to create rights-protected content. All editions will allow you to consume rights-
protected content.
Create a trusted user domain between the
AD RMS installations
In a default AD RMS installation, use licenses are not issued to users whose rights account
certificates were issued by a different AD RMS cluster. You can configure AD RMS so that it
processes this type of request by importing the trusted user domain of another AD RMS
installation.
The trusted user domain must be exported from one AD RMS cluster and then imported into the
other. A trusted user domain is required only if the AD RMS clusters are in a different forest.
First, export the trusted user domain by using the Active Directory Rights Management Services
console.
Note
For scenarios in which the domains are in different networks, make sure that the
users in the second domain can access the location of this file.
Next, import the trusted user domain that was just exported from the AD RMS cluster in the
CPANDL domain into the TREYRESEARCH domain by using the Active Directory Rights
Management Services console.
6. In the Display name box, type CPANDL.COM, and then click Finish.
Finally, repeat the above procedures and import the Trey Research trusted user domain file into
the CPANDL domain.
Note
For scenarios in which the domains are in different networks, make sure that the
users in the second domain can access the location of this file.
2. Click Start, point to Administrative Tools, and then click Internet Information
Services (IIS) Manager.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand the domain node, expand Sites, expand Default Web Site, and then
expand _wmcs.
5. Right-click the licensing folder, and then click Switch to Content View.
6. Right-click ServiceLocator.asmx, and then click Switch to Features View.
7. Under IIS, double-click Authentication, right-click Anonymous Authentication,
and then click Enable.
8. Right-click the licensing directory again, and then click Switch to Content View.
9. Right-click license.asmx, and then click Switch to Features View.
10. Double-click Authentication, right-click Anonymous Authentication, and then
click Enable.
11. Log on to TREY-ADRMS as treyresearch\adrmsadmin and repeat steps 1-10 for
the treyresearch.net domain.
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

dn: CN=Contact,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest

dn: CN=Group,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest

dn: CN=User,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
Finally, you should run the ldifde.exe command to extend the schema by using the following
procedure:
To run the ldifde command to extend the schema
1. Log on to CPANDL-DC as cpandl\administrator.
2. Click Start, and then click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which Windows Server 2008 is installed.
4. Type the following, and then press ENTER:
ldifde.exe -s cpandl-dc -v -i -k -f cpandl.ldf /c
"CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"
"CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"
Note
The last two entries of this command are the same because the source and
target name are the same.
5. To confirm that the command was successful, the last two lines of the output
should say the following:
4 entries modified successfully. The command has completed successfully.
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

dn: CN=Contact,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest

dn: CN=Group,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest

dn: CN=User,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
Finally, you should run the ldifde.exe command to extend the schema by using the following
procedure:
ldifde.exe -s trey-dc -v -i -k -f trey.ldf /c
"CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"
"CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"
Note
The last two entries of this command are the same because the source and
target name are the same.
5. To confirm that the command was successful, the last two lines of the output
should say the following:
4 entries modified successfully. The command has completed successfully.
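The two .ldf files above differ only in the DC= components of every DN, which makes it easy to import the wrong forest's file, and ldifde will not tell you that the GUIDs you typed decode to anything sensible. The following Python script is an added example, not part of the Microsoft guide; it parses an .ldf file in the form shown above, decodes the two base64 GUIDs the way Active Directory stores them (16 raw bytes, little-endian leading fields), confirms that every DN and the objectCategory target the schema partition of the intended forest, and confirms that each mayContain modification names an attribute the same file defines. The embedded sample is the Trey Research file restored to RFC 2849 form (a blank line between records and a "-" after each modify operation); the attributeSchema entry's leading "dn:" line is not visible on the page, so its CN is assumed from the entry's name value.

```python
import base64
import re
import uuid

# Constructed sample: the Trey Research .ldf from the guide, restored to RFC 2849 form
# (blank line between records, "-" after each modify operation). The "dn:" line of the
# attributeSchema entry is not visible on the page; its CN is assumed from "name".
TREY_LDF = """\
dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

dn: CN=Contact,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=Group,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=User,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
"""

# One "name: value" or "name:: base64value" line; hand-written .ldf files are not folded.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return records as {"dn": str, "attrs": [(name, value, is_base64), ...]}."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line == "-":
            continue  # record separator, comment, or end of a modify operation
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.groups()
        if name.lower() == "dn":
            records.append({"dn": value.strip(), "attrs": []})
        else:
            records[-1]["attrs"].append((name, value.strip(), sep == "::"))
    return records


def decode_ad_guid(b64):
    """AD stores GUIDs as 16 raw bytes with little-endian leading fields."""
    return str(uuid.UUID(bytes_le=base64.b64decode(b64)))


def schema_nc(forest_dns):
    """Schema naming context of a forest root, e.g. treyresearch.net."""
    return "CN=Schema,CN=Configuration," + ",".join(
        "DC=" + label for label in forest_dns.split("."))


def check_schema_ldif(text, forest_dns):
    """Check DNs against forest_dns's schema partition, decode GUIDs, resolve mayContain."""
    nc = schema_nc(forest_dns).lower()
    records, problems, defined, refs = parse_ldif(text), [], set(), []
    report = {"entries": len(records), "schema_id_guid": None,
              "security_guid": None, "problems": problems}
    for rec in records:
        single = {n.lower(): v for n, v, _ in rec["attrs"]}
        if not rec["dn"].lower().endswith(nc):
            problems.append("dn outside %s: %s" % (nc, rec["dn"]))
        if single.get("objectclass", "").lower() == "attributeschema":
            defined.add(single.get("ldapdisplayname", "").lower())
            if not single.get("objectcategory", "").lower().endswith(nc):
                problems.append("objectCategory outside %s in %s" % (nc, rec["dn"]))
            try:  # both GUIDs arrive as base64 ("::") 16-byte values
                report["schema_id_guid"] = decode_ad_guid(single["schemaidguid"])
                report["security_guid"] = decode_ad_guid(single["attributesecurityguid"])
            except (KeyError, ValueError) as exc:
                problems.append("GUID problem in %s: %r" % (rec["dn"], exc))
        elif single.get("changetype", "").lower() == "modify":
            refs += [(rec["dn"], v) for n, v, _ in rec["attrs"] if n.lower() == "maycontain"]
    for dn, attr in refs:
        if attr.lower() not in defined:
            problems.append("%s adds mayContain %s, which this file does not define" % (dn, attr))
    return report
```

Running check_schema_ldif(TREY_LDF, "treyresearch.net") reports 4 entries and no problems, matching the "4 entries modified successfully" line that ldifde prints; the same file checked against "cpandl.com" reports five DN mismatches, which is exactly the mistake the two near-identical files invite. The schemaIdGuid decodes to 16671de6-9753-47bf-9a12-be31abe0af08, and the attributeSecurityGuid decodes to e48d0154-bcf8-11d1-8702-00c04fb96050, the Personal-Information property set: read and write access to msExchOriginatingForest is therefore governed by the ACEs already granted on that property set, which is worth knowing before you rely on the attribute to route AD RMS licensing between forests.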
Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand treyresearch.net, right-click Users, point to New, and then click
Contact.
5. In the Full Name and Display name boxes , type Nicole Holliday, and then
click OK.
6. Open the Users folder, and then double-click the Nicole Holliday contact object.
7. In the E-mail box, type nhollida@cpandl.com, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the Nicole Holliday properties sheet.
Next, create the distribution groups and assign the appropriate msExchOriginatingForest schema
attribute for each group.
To create the Trey Research Employees distribution group for the cpandl.com domain
1. Log on to CPANDL-DC as cpandl\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand cpandl.com, right-click Users, point to New, and then click Group.
5. In the Group name box, type Trey Research Employees, click the Universal
option, click the Distribution option, and then click OK.
6. Open the Users folder, and then double-click the Trey Research Employees
distribution group.
7. In the E-mail box, type employees@treyresearch.net, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type treyresearch.net, click Add, and then click OK.
10. Click OK to close the Trey Research Employees properties sheet.
Finally, create the distribution group and assign the appropriate msExchOriginatingForest schema
attribute for each group.
To create the CPANDL Employees distribution group for the treyresearch.net domain
1. Log on to TREY-DC as treyresearch\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand treyresearch.net, right-click Users, point to New, and then click Group.
5. In the Group name box, type CPANDL Employees, click the Universal option,
click the Distribution option, and then click OK.
6. Open the Users folder, and then double-click the CPANDL Employees
distribution group.
7. In the E-mail box, type employees@cpandl.com, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the CPANDL Employees properties sheet.
To add AD RMS cluster URLs to the Internet Explorer Local Intranet security zone
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, click Control Panel, click Network and Internet, and then click
Internet Options.
3. Click the Security tab, and then click Local Intranet.
4. Click Sites, and then click Advanced.
5. In the Add this website to the zone box, do the following:
a. Type https://adrms-srv.cpandl.com, and then click Add.
b. Type https://trey-adrms.treyresearch.net, and then click Add.
6. Repeat steps on ADRMS-CLNT2 for Terrence Philip (treyresearch\tphilip).
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a
Microsoft Word 2007 document, and then restrict permissions on it so that Terrence Philip is able
to read the document but is unable to change, print, or copy it. You then log on as Terrence Philip,
verifying that Terrence Philip can read the document but do nothing else with it.
To restrict permissions on a Microsoft Word document
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, point to All Programs, click Microsoft Office, and then click
Microsoft Office Word 2007.
3. Type Only Terence Philip can read this document, but cannot change, print,
or copy it. Click Microsoft Office Button, point to Prepare, point to Restrict
Permission, and then click Restricted Access.
4. Select the Restrict permission to this document check box.
5. In the Read text box, type tphilip@treyresearch.net, and then click OK to close
the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as
\\adrms-db\public\ADRMS-TST.docx.
7. Log off as Nicole Holliday.
You have successfully deployed and demonstrated the functionality of using AD RMS across
forests, using the simple scenario of applying restricted permissions to a Microsoft Word 2007
document. You can also use this deployment to explore some of the additional capabilities of
AD RMS through additional configuration and testing.